Buying online vs. buying over the phone

Both methods carry risks, but overall buying online is safer. The key reasons for this are that ...

Infosec Crystal Ball 2011

This seems to be a popular topic as we come towards the end of 2010. What will be the top 5 security trends / events for 2011:

Why you should use a password vault

Passwords are an annoying necessity in today's world; should you use a password vault to ease the burden? Recent attacks, like the one on Gawker Media, have also got people thinking about stronger passwords. Here are some of the pros and cons of password vaults:

In security is it better to be black and white?

As a security professional today, is it better to see the world in black and white and have a firm view on what is needed to be secure, or is it better to take a risk-based approach, explain the trade-offs and allow someone else, say the business, to make the decision?

Practical and Cheap PCI-DSS Compliance for SMEs

PCI smacks SME out of the park.

PCI-DSS compliance for SMEs does not have to be prohibitively expensive and difficult. Like many tasks, achieving compliance can seem daunting until you break it down into smaller tasks and just make a start. I run a niche security consulting firm and have a bit of experience in this area, having worked for major financials and founders of PCI. This is some practical advice which will hopefully assist SMEs with the difficulty and cost of compliance.

Disrupting online payments

In the UK consumers are predicted to spend £8.1 this Christmas, a growth of £1.2 from last year and now accounting for nearly 10% of all Christmas spending. Despite this growth, online payments have lacked real disruption and innovation. Most of the time consumers still enter their credit or debit card details on each and every merchant site; Nielsen says that 60% of online shoppers still use a credit card. The alternatives are still in the minority: PayPal has about 14% of the global e-commerce market according to BusinessWeek, while Nielsen says closer to 25%. Google Checkout, Amazon Checkout and similar schemes are a lot smaller than that. There is still a massive market opportunity for a disruptive technology, and plenty of room for online commerce to grow by converting those offline consumers with a more secure and convenient proposition.

Improving the ROI of SIEM, logging and security monitoring

Major security incidents are very rare in most organizations. They are typically a three or even six sigma event, way down on the long tail of possible events. Like most other events that fit this profile (e.g. a correlated fall of 10% or more in the share market) they can also have a major impact on an organization, even leading to bankruptcy. As the global financial crisis showed us, though, these events, called Black Swans by Nassim Taleb, do happen, and often not in the way we think they will. And while such events seem ideal candidates for risk transfer, unlike losses in the financial markets, insurance will not help restore your brand.

This is the reason that most companies invest money in a security department, process and technology (OK, it is really regulation, but let's say it is partially prevention, detection and recovery from security incidents also). Security monitoring is often seen by regulators and auditors as a key control in a holistic and effective information security strategy. However, it is difficult to prove the Return on Investment (RoI) of security monitoring for most organizations, and even Risk Reduction on Investment (RRoI) is difficult to quantify. This post is about some simple strategies to improve that visible RoI.

Rich vs thin client 2.0? Native app or mobile web app for your business?

Mobile Internet usage continues at breakneck pace, and just like when the Internet was emerging in the 1990s, virtually all businesses, from start-ups through small and medium firms to the largest blue-chips, are examining (or should be examining) how best to get a piece of the pie. One of the first questions faced when answering this is whether to build or buy a mobile web application or a native application. As always, both have their advantages and trade-offs, and I thought the Wired article was not very useful, so I thought I would write this.

Beating crackberry: if Apple, Google and Microsoft were serious about enterprise smartphones

There is a lot of interest from corporate users in the iPhone, the iPad and Android devices, and maybe even Windows Mobile 7 (we will wait and see); however, Apple, Google and Microsoft are yet to really break the RIM stranglehold on the enterprise market. There is really only one thing that is holding them back.

This article adds to my post on securely deploying iOS and Android devices in the enterprise.

Lose your phone not your mind: recovering from a lost or stolen iPhone

A friend of mine recently lost her iPhone at Oktoberfest, and it reminded me that many people are unaware of simple measures they can take to make their phone simply a temporary vessel: if the current body is killed, simply download and reboot into a new one (OK, too much BSG).

These tips are very iPhone-centric as that's what I know, but I'm sure they would not be very hard to replicate on an Android or other smartphone as most are related to web apps. If anyone wants to add some of the ways of doing the same for their smartphone in the comments, or send me the link to their blog, I will include it in the article. It is also Windows-centric; I'm sure all this is easier on a Mac, and any port to the Linux world would also be appreciated.

Legally blond: why you do not need a 50 page security schedule

As business increasingly moves to purchasing IT as a utility from the cloud, and more IT is outsourced and purchased as a service, there is a corresponding increase (perceived or actual) in risks relating to supplier security. A security incident at an outsourced provider, and the concern over IT being "out of my control", is a worry for many companies and may be holding them back from realising the cost and scalability benefits on offer. Having security clauses in a legally binding contract is one of the main mitigations for this risk. However, I believe most companies either ignore security completely in the contracting process, or go too far the other way with a massive security schedule that attempts to cover every possible contingency. This is an attempt to present a risk-based middle path.

Power corrupts: risks from new US wiretap laws

New, expanded wiretapping rules are being discussed. What are the privacy issues this raises? What are the other personal liberty implications of such rules, the differences between monitoring voice and data, and some potential solutions that balance national security and privacy requirements?

Farming at work: social media in the enterprise

How do you make social networks safe for work? Also some key risks and strategies for tracking productivity. This joins my recent article on the Twitter virus and my previous article on data loss prevention.

Twitter hacks: lessons for users and Twitter

What are the risks, to both consumers and companies, of social media-borne hacks, attacks, malware, etc.? Was this latest Twitter attack a wake-up call? Also, what users could do to protect themselves and what Twitter could do to avoid future incidents.

Security metrics: If you do not measure something why even bother doing it?

If those in the IT/information security industry applied the concept of "if you do not measure it, why even bother doing it", we would all be out of a job! This especially includes all those CISOs and top management: going to meetings and conferences and replying to emails provides no value unless you can measure it and demonstrate where it does. Security metrics is relegated to the trough with awareness and policy, usually pushed to the new starter or the female (just j/k) in the team. This is unfortunate, though, because if there is one thing that the success of something like Google AdWords and the revolution in A/B testing should have taught us, it is that there is great value in being able to measure the effectiveness of something. There is a good reason why you are not considered Capability Maturity Model (CMM) level 4 until you can measure how well your process or capability delivers the desired results. The old adage still holds true: you can't improve what you cannot measure.

There are plenty of articles on security metrics, but this one, true to form, will be simple, practical and contrarian. Although according to Jennifer from "I am not sure there is much contrarian in the post, other than that a random engineer will be better at security metrics than a security person. That may be worth a lightning". Other than WTF is a lightning, maybe it is not contrarian but just common sense, though definitely not as common as I would like to see. Read on....

Privacy in an Age of Augmented Humanity

The inspiration for this post was the keynote from Eric Schmidt (CEO of Google). Some of the things that Eric is talking about are straight from Minority Report, but some are with us right now or will be within the next couple of years. I find a lot of these technology enhancements incredibly exciting, but I know many will have concerns over privacy and security. So, to mitigate some of the FUD that I'm sure will come, let me present a way the majority of concerns can be addressed upfront. I will analyse some of these innovations against the EU privacy principles and the laws of identity, with the view that, being early in the piece, security and privacy can be baked in and this can be done right to avoid problems later on.

This joins my other privacy and identity related articles: social location services and a review of corporate identity management against the identity laws.

Your data centre has just blown up

Just as 9/11 passes, I thought this was a pertinent time to say: the fact that your primary data centre will fail is not a question of IF but WHEN (OK, that sounded a bit like FUD). Still, it pays to be prepared, and unlike most security risks this is real, not theoretical, and the business actually cares if your systems are working (as opposed to secure).

This joins my other non-security pieces: a smarter, more social bank; preparing for Chrome, living without Windows; and turning bankers into engineers in a decade.

I wrote this as a response to a question on Help a Reporter, on my iPhone on the tube returning from work, and thought it may be of interest to you also.

3 Million reasons to encrypt your Blackberry

The next major security control to become a norm will be full disk encryption of mobile devices, especially Blackberrys.

This is another chapter in the lessons learned series, joining: email encryption, removable media control and Data Loss Prevention (DLP). It is also a companion piece to securely using iPhones, iPads and Android devices in the enterprise.

Ten years ago, and maybe even five years ago in some countries, laptop whole disk encryption and removable media encryption would not have been a priority. After a number of high-profile data losses, including a £3 Million fine by the FSA of HSBC for losing customer data, most organizations view this as a critical security control, one of the few that needs to be explicitly specified in contracts.

Social location privacy - what is the fuss?

The legendary "what is the fuss" series continues, adding to Cloud Computing and Virtualization. Social media location services are all the rage right now, with Foursquare and Gowalla both being established players and the big boys like Facebook trying the me-too strategy with Facebook Places.
There has been discussion, and to be fair a lot of FUD, about privacy and security concerns around these services, mainly from ill-informed people on CNN, USA Today and the BBC. About time to have a considered discussion on the real risks......

Implementing email encryption: lessons learned

PGP Universal
I was involved in an email encryption implementation project towards the end of last year. Here are some of the lessons that I learned, as well as some discussion around whether there is any point to email encryption in its current form today. Apologies in advance to my friends at PGP (now Symantec), but I've got to call it as I see it.

This is a companion lessons learned article to my ones on removable media control and data loss prevention. I have written this with quite a few technical PGP terms; I will explain some, but get your background at

How real is the insider threat?

Incidents by source
I am constantly amazed at how many norms or axioms there are in the information security field that are simply accepted and passed on to new recruits without real challenge, or without attempted falsification with data and/or logical argument. Examples include: internal IT is safer than outsourcing, physical servers are more secure than virtual, clear text transfers should be avoided at all costs, and the threat from insiders is greater than from outsiders.

While there are nuggets of truth in each of these, and the answer is usually "it depends", they are very rarely backed up by solid, statistically significant, non-survey-based evidence, and thinking has not been updated to keep up with industry trends and innovations in information security. They also seem to be passed on from one CISSP (talk about a relic that belongs in the 1970s) to another without really being challenged. I have discussed some of them, such as cloud computing, virtualization and transport security, in previous posts; in this one let's examine the last: how real is the insider threat?

A smarter, more social bank

From a customer perspective I find banks extremely frustrating, difficult to deal with and behind the times. With the launch of Metro Bank, the first UK high street bank to be launched in something like 100 years, surely this was the time to do something different......

Journey of a thousand miles. Trials and tribulations of a tech startup

I thought I would write about what I have been really busy with lately: changing my company to more of a product based business with my software / security as a service application – Simple Security Risk Assessment.

I have had some interesting experiences thus far, mainly dealing with hiring an overseas developer. Hopefully you can learn some lessons from my experiences, or at least get a laugh.

I will keep adding to this as I go through the development and, hopefully, launch experience.

Virtualization security - what is the fuss?

This is a bit of a companion piece to my cloud computing security article. Just the other day I was amazed at the fear and trepidation with which colleagues viewed putting everything on "one" machine, i.e. virtualization, and the doom and gloom it meant for security. I mean seriously? Are we still here? Virtualization should now be viewed as a mature technology that can save you a lot of money and increase your scalability and speed to market. Again, don't believe the FUD; just do the basics well and you will be fine. Here is how....

Making DRM practical

I was reading an article today that said to keep your best ideas for your products. This is probably one of those, but since I don't have the resources to do it I'm hoping that Adobe, Microsoft, Oracle or Google read this, or someone at their companies suggests something similar.

Digital Rights Management (DRM) is broken. As a concept it is brilliant: it allows you to move security away from the infrastructure and to the information. Security travels with the information no matter where it goes. In practice, though, it is currently badly broken: it is too hard to implement and use. I have some suggestions for fixing it....

Why don't Facebook, Twitter and Google support strong authentication?

Social media services such as Twitter, Facebook and Google are quickly becoming the de facto identity providers for the Internet. I signed up to Aardvark yesterday and I could use either my Google and/or Facebook account (I used both). My new web and mobile apps are going to support all of these. I mean, why not? It is easier for the user (not another password and identity) and easier for the provider (no hassle of maintaining accounts, authentication security problems, password resets, etc.).

Can Chrome learn from iPhone jailbreak flaws?

The recent script-kiddy jailbreak (browser-based attacks on iOS 4.0 and 4.1 on the iPhone) led me to think: can Google Chrome learn from their lessons? This joins my other posts on iPhone and Android security and on using Chromium OS.

How important is transport security really?

There seems to be a preoccupation in the security industry with encrypting everything in transit (HTTPS/SFTP/SSH etc.), when in reality there is a good argument that it is just not that important....

Stomping on ALE's grave

Short post: I believe they still teach Annualized Loss Expectancy (ALE) as a way of calculating security risk in programs like CISSP. While I will write a whole post later on why CISSP is so outdated and irrelevant, ALE is one of the worst aspects. It should be killed and the grave stomped on thoroughly. Here is why....

Removable media control - lessons learned

I really should be completing my requirements doc, but I keep playing with Chrome and Ubuntu, and when I see incidents like this still happening I have to write a short post on removable media control. Starcraft 2 is also now a major distraction :)

Why do banks ask you for your password when THEY call you?

Short post: why don't companies in the UK positively identify themselves before asking for a user's password when they call you over the phone?

Cloud computing security - what is the fuss?

There are probably a number of good reasons why you shouldn't jump on the cloud computing bandwagon, but security should not be one of them, and here is why....

Preparing for Chrome, living without Windows

A bit of a different blog post starting today: a living journal. I really believe that Microsoft Windows' stranglehold on the personal and corporate OS market is under significant threat. As I have detailed before, any endpoint from anywhere, zero and thin client, is the future and is starting now. The majority of corporate applications, except SharePoint and Exchange (and who needs those with Gmail and Google Apps), run on Linux, and end users want to use Macs, Linux and mobile OSes like iOS, Android, Palm OS and Blackberry. Tablet PCs are great for certain use cases (presentations, video, ebooks, mindmapping), and Chrome OS will be the game changer that takes away Microsoft Windows 7's massive market share. Finally, virtualization means that even if you can't live without Windows for 5% of tasks and hardware, you can run Chrome or Ubuntu and run Windows in VirtualBox / VMware, or vice versa; corporations can easily deploy these types of builds to zero client and thin client endpoints.

So in preparation for Chrome OS, I am going to run without Windows for 2 weeks and journal my progress here.

Follow along with your RSS reader so you can check updates on the train on your mobile. Please add your own experiences or advice as comments or links to your journal or blogs.

UPDATE: August 2010 - I am now continuing this as I actually experiment with Chrome OS.

Laws of Identity in Practice

If you are not familiar with Kim Cameron's identity blog or his "laws of identity" they are worth a read. I have been involved in a number of identity management (IDM) projects so I thought I would analyse how I have found the laws applied in practice in banks in Australia and London. The laws are more applicable for designing identity systems and maybe not identity management systems but I shall press on and consider them in an enterprise context.

The FUD that is used to sell DLP

Reasonably short post again. I just read this article titled "Why your organization needs to implement DLP", and had to write about it.

Fixing verified by Visa

OK, short post again. What's wrong with Verified by Visa / MasterCard SecureCode, and how to fix it.

Turning bankers to engineers in a generation

OK, so I warned you that I would have some non-infosec postings on this blog, and this is one of those: how do we fix the situation where most of the talent wants to be bankers to make the money and a much lower percentage of truly gifted people want to be engineers, scientists and entrepreneurs, you know, those people that actually contribute to advancing the world?

Here is how...

iPhone and Android securely in the enterprise

I was recently doing some investigation, thinking and evaluating on how to bring the iPhone and Android securely into the enterprise (also called Bring Your Own Device (BYOD)). I was interested in implementing not just a point solution but a strategic initiative that could still be deployed in phases.

The following diagram is a conceptual architecture of how I think this should be done:

Apple class action - ridiculous but could be costly

OK, I have had some long posts, so time for a short one.

I think the class action against Apple and AT&T is ridiculous, but it could be costly.

Practical lessons learned from implementing a Data Loss Prevention (DLP) program

Last year I had a chance to be involved in implementing a data loss prevention tool (Symantec Data Loss Prevention) and also to evaluate the RSA offering.

This is a post of my reflections on the experience and some lessons learned, which will hopefully benefit anyone needing to do this currently or in the future...

Security Return On Investment (ROI)

Regardless of where I have worked, both in consulting / professional services (trying to sell stuff) and as an end user in industry (trying to get funding to buy stuff), security ROI has always been a challenging topic.

Ultimately, in seven years in security (not long, I know, to get this smart) I have only seen one effective reason for any expenditure on security.

Blizzard WoW SC2 Real-ID


Hello world!!

For my very first entry, something that has a nice intersection of my interests/passions, gaming and information security / identity management: Blizzard's decision to introduce realid (a system that shows your real name when you post on forums as well as when you are playing a Blizzard game such as World of Warcraft or the upcoming Starcraft 2). This is a major change (for gamers and infosec people) from what it used to be, where only your handle or character name was displayed.

Just like sex and humour, everything is in the timing. I am not going to rant about the evils of realid because, interestingly enough, bowing to public / pundit opinion, Blizzard has just announced that realid will be scrapped. As people who know me would attest, though, that is not going to stop me from having an opinion about it, and I actually hope that it gets introduced in an improved form.

Kim Cameron, whom I respect immensely and whose work I have followed for a while, has an excellent post on the topic where he naturally ties it to his laws of identity. I really want to elaborate on my real-life experiences implementing identity management systems in enterprises and how they comply with the laws of identity, but that's for another post.

I have always been a person that loved a debate, and I would like to think I can see the pros and cons in most things (even killing baby kittens :). So I would like to say what I liked about this real-id proposal and what I didn't like about it. However, I definitely don't sit on the fence on much, so there is a thumbs up or thumbs down at the bottom.


  • It had about a 30-40% probability of significantly reducing trolling and silly forum posts, achieving the key project objective; not bad.
  • It is really handy to be able to know when your friend is online, regardless of the character they play and the game they play.
  • As far as I am aware, you could still put in or change to a fake name.
  • From a Blizzard bottom-line perspective, it is definitely a way to leverage the massive, hugely loyal fan-base for additional monetization as a social network.


  • Choice, consent and opting in: turning this on without a public/forum discussion period, a pilot and trial period, not enlisting (or not enlisting the right/motivated) IDM experts to advise, or not listening to them. Also not learning any lessons from companies that have done this before and got the t-shirt, e.g. Facebook. Basically this, and probably many other factors, resulted in a draconian system which gave users very little choice and few options to opt in/out, that violated privacy and identity principles, and that alienated their most valuable asset.
  • Potential for some very real and practical breaches of privacy and the exposure of a user's identity in a context they did not approve or want, e.g.:
  • The ability for someone to search for all posts by someone and then tie that to other identity identifiers that they have revealed with or without their knowledge / consent, e.g. social networking sites such as Facebook / LinkedIn, or just Google, which picks up things like honours and awards from schools, clubs and professional organizations.
  • The potential for an in-game bully to follow a target across games and characters (already a risk to a degree without real-id).
  • The ability for an employer, girlfriend/boyfriend etc. to identify and link a person they know in another context (e.g. work, interview, date) to a Blizzard game profile and behaviour. Some would see this as a good thing if you have nothing to hide, you behave properly and you are always "yourself" to everyone in every context. But I'm not, so I have an issue with it.
  • Overall: I am glad it was scrapped because it was not designed nor implemented in a manner that respected their users or complied with privacy and identity principles. However, I would be disappointed if this is the last we hear of real-id; with the right requirements, design and implementation process Blizzard could achieve their monetary and gaming experience objectives while balancing the user impact.

Some simple suggestions which many people smarter than me have already made include:

  • don't re-invent the wheel
  • align to the identity laws and privacy principles, e.g. the EU privacy directive
  • provide users options such as opt-in/out, delete all posts, and which characters and games real-id applies to
  • get user consent for use of their Blizzard identity in the contexts proposed, and make this simple, transparent and easy to use and change

Comments / contrary views / corrections welcome. If you got this far, thanks for reading.

